
WARNING: MULTIPLE VULNERABILITIES IN NETGEAR ORBI ROUTERS (1 CRITICAL, 2 HIGH), PATCH IMMEDIATELY!

Reference: Advisory #2023-34
Version: 1.0
Affected software:
Netgear Orbi routers
RBR750/840/850 prior to 4.6.14.3
RBS750/840/850 prior to 4.6.14.3
RBR860 prior to 7.2.4.5
RBS860 prior to 7.2.4.5
RBRE950/960 prior to 6.3.7.10
RBSE950/960 prior to 6.3.7.10
Type: Command execution, man-in-the-middle attack
CVE/CVSS:
CVE-2022-37337 (9.1)
CVE-2022-36429 (7.2)
CVE-2022-38452 (7.2)
CVE-2022-38458 (6.5)

Sources

https://kb.netgear.com/000065417/Security-Advisory-for-Command-Injection-on-Some-Orbi-WiFi-Systems-PSV-2022-0187
https://kb.netgear.com/000065424/Security-Advisory-for-Command-Injection-on-Some-Orbi-WiFi-Systems-PSV-2022-0188
https://kb.netgear.com/000065567/Security-Advisory-for-Post-authentication-Command-Injection-on-the-RBR750-PSV-2022-0186
https://kb.netgear.com/000065428/Security-Advisory-for-Cleartext-Transmission-on-Some-Orbi-WiFi-Systems-PSV-2022-0189

Risks

Cisco Talos researchers published proof-of-concept (PoC) exploits for multiple vulnerabilities in Netgear's Orbi 750 series router and its extender satellites.

Netgear Orbi are mesh Wi-Fi systems designed to provide reliable Wi-Fi coverage for home or business users. The system consists of a main router and multiple satellite units that work together to create a seamless Wi-Fi network that can cover a wide area.

Three of the vulnerabilities could lead to arbitrary command execution; the fourth can enable a man-in-the-middle attack.

Netgear released a firmware patch on January 19, 2023, and is not aware of attacks in the wild exploiting these flaws.

Cisco also released Snort rules (60474 – 60477 and 60499) to detect exploitation attempts against these vulnerabilities.

The Centre for Cyber Security Belgium recommends that system administrators patch vulnerable systems as soon as possible and analyse system and network logs for any suspicious activity. If you have already identified an intrusion or incident, please report it via: https://cert.be/en/report-incident

Description

CVE-2022-37337 is a critical command execution vulnerability. Exploiting it requires sending a specially crafted HTTP request, and the attacker must already have an established foothold on the victim's network.

CVE-2022-36429 and CVE-2022-38452 are both arbitrary command execution vulnerabilities. CVE-2022-36429 requires an adversary to craft a special JSON object, whilst CVE-2022-38452 requires a specially crafted network request.

CVE-2022-38458 can facilitate a man-in-the-middle attack and, unlike the previously mentioned vulnerabilities, does not require any privileges.

Recommended actions

The Centre for Cyber Security Belgium recommends that system administrators patch vulnerable systems as soon as possible and analyse system and network logs for any suspicious activity.

If you have already identified an intrusion or incident, please report it via: https://cert.be/en/report-incident
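To support the patching recommendation, the following is an added example (not part of the advisory or of Netgear's tooling) that checks an asset inventory against the fixed firmware versions listed in the affected-software table above. The inventory format, the hostnames and the firmware version strings are constructed for the example; only the leading dotted-numeric part of a version is compared, on the assumption that any build suffix after an underscore does not affect the fix level.

```python
"""Flag Netgear Orbi devices whose firmware predates the fixed release in advisory #2023-34."""
import re
from typing import List, Optional, Tuple

# First fixed firmware per model, as listed in the advisory's affected-software table.
FIXED_FIRMWARE = {
    "RBR750": "4.6.14.3", "RBR840": "4.6.14.3", "RBR850": "4.6.14.3",
    "RBS750": "4.6.14.3", "RBS840": "4.6.14.3", "RBS850": "4.6.14.3",
    "RBR860": "7.2.4.5", "RBS860": "7.2.4.5",
    "RBRE950": "6.3.7.10", "RBRE960": "6.3.7.10",
    "RBSE950": "6.3.7.10", "RBSE960": "6.3.7.10",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a version such as '4.6.14.3' or 'V4.6.14.3_2.2.1' (assumed format) into an int tuple.
    Only the leading dotted-numeric part is used; an optional 'V' prefix and build suffix are ignored."""
    m = re.match(r"^[vV]?(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(model: str, firmware: str) -> Optional[bool]:
    """True if the firmware is older than the fixed release, False if at or above it,
    None if the model is not in the advisory's table (i.e. nothing can be concluded)."""
    fixed = FIXED_FIRMWARE.get(model.strip().upper())
    if fixed is None:
        return None
    have, want = parse_version(firmware), parse_version(fixed)
    width = max(len(have), len(want))          # pad so 4.6.14 compares as 4.6.14.0
    return have + (0,) * (width - len(have)) < want + (0,) * (width - len(want))


# Constructed sample inventory: (hostname, model, firmware) as an asset database might export it.
SAMPLE_INVENTORY = [
    ("orbi-lobby", "RBR850", "V4.6.14.2_2.2.67"),   # below fix level
    ("orbi-lobby-sat", "RBS850", "V4.6.14.3_2.2.67"),  # exactly the fixed release
    ("orbi-lab", "RBRE960", "6.3.7.9"),             # below fix level
    ("orbi-annex", "RBR860", "7.2.5.0"),            # newer than the fixed release
    ("mystery-box", "RBK750", "1.0.0"),             # kit SKU, not listed: needs manual review
]


def triage(inventory: List[Tuple[str, str, str]]) -> Tuple[List[str], List[str]]:
    """Return (hosts that must be patched, hosts whose model could not be matched)."""
    to_patch, unknown = [], []
    for host, model, fw in inventory:
        verdict = is_vulnerable(model, fw)
        (to_patch if verdict else unknown if verdict is None else []).append(host)
    return to_patch, unknown
```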

More information

https://blog.talosintelligence.com/vulnerability-spotlight-netgear-orbi-router-vulnerable-to-arbitrary-command-execution/
https://nvd.nist.gov/vuln/detail/CVE-2022-36429
https://nvd.nist.gov/vuln/detail/CVE-2022-38452
https://nvd.nist.gov/vuln/detail/CVE-2022-37337
https://www.tenable.com/cve/CVE-2022-38458